The ARP detection module is a new feature of the 2.00 version. It basically is a script which listens on the tunnel endpoint and detects certain ARP attacks and things like rogue (read: unwanted) DHCP servers.
When the tunnel gets started a perl script is started that listens to all the packets coming in on the virtual interface (tap) on the server. When this script is started, the first thing it does is retrieve the gateway address of the network from the tap interface. This information is retrieved either from the DHCP lease file (in case of a DHCP sensor) or from the database (in case of a static sensor). The next action it will take is to do 4 arp requests to the gateway address. If we get more than 4 replies we know the gateway is already poisoned. If however this is not the case we add the MAC/IP pair belonging to the gateway to a static list. This list is used by the script to validate the ARP requests/replies it detects. For ARP queries it checks the source MAC/IP pair and validates it against the static list. For ARP replies it checks the destination MAC/IP pair. It also checks the source MAC/IP pair but only if the source IP address is within the local network range of the sensor.
Example: We have a gateway in our local network (10.0.0.1 - 00:11:22:33:44:55). This gateway was added to the static list when the tunnel was started.
Static Monitoring list IP Mac Sensor 10.0.0.1 00:11:22:33:44:55 sensor1
Let's say we do an ARP query to the gateway, which would look something like this:
ARPQUERY: aa:bb:cc:dd:ee:ff (10.0.0.10) -> 00:00:00:00:00:00 (10.0.0.1) ARPREPLY: 00:11:22:33:44:55 (10.0.0.1) -> aa:bb:cc:dd:ee:ff (10.0.0.10)
In this case we check if the pair (aa:bb:cc:dd:ee:ff - 10.0.0.10) is in the static list. If so, we check if the detected MAC address is different from the one it should have (according to the static list). If the detected MAC address belonging to 10.0.0.10 doesn't match the stored MAC address in the static list from 10.0.0.10 we know we have been poisoned.
We do the same for the reply, but in this case for both source and destination pairs. We always check the destination pair and in this case also the source pair since this is in the local network range. We see the source pair from the reply matches the one in the static list for 10.0.0.1.
Now let's say an attacker is poisoning the gateway between my own host and the gateway. In this case the attacker sends out a lot of ARP replies saying that he is in fact the gateway.
ARPREPLY: 22:22:22:22:22:22 (10.0.0.1) -> aa:bb:cc:dd:ee:ff (10.0.0.10) ARPREPLY: 22:22:22:22:22:22 (10.0.0.1) -> aa:bb:cc:dd:ee:ff (10.0.0.10) ARPREPLY: 22:22:22:22:22:22 (10.0.0.1) -> aa:bb:cc:dd:ee:ff (10.0.0.10) ARPREPLY: 22:22:22:22:22:22 (10.0.0.1) -> aa:bb:cc:dd:ee:ff (10.0.0.10) ARPREPLY: 22:22:22:22:22:22 (10.0.0.1) -> aa:bb:cc:dd:ee:ff (10.0.0.10)
The ARP detection script will now try to validate the source MAC/IP pair to the static list and will notice that the source MAC address of these replies are in fact not the correct MAC address (22:22:22:22:22:22 != 00:11:22:33:44:55). The script will now generate an alert that an attacker (22:22:22:22:22:22) is trying to poison the network.
NOTE: The script will always ignore MAC/IP pairs where the MAC address is either 00:00:00:00:00:00 or ff:ff:ff:ff:ff:ff.